Google recently announced at its cloud conference in Tokyo that it will begin offering “high-risk” G Suite accounts a version of its own, enhanced in-house security.
Called the Advanced Protection Program, the set of security protocols is currently rolling out to G Suite users in a beta program.
The program requires the use of physical security keys to access accounts, in addition to a password, and it blocks any third-party apps that haven’t been whitelisted by G Suite administrators.
It also includes a more advanced email scanning method for virus threats and blocks downloads of certain file types.
“As a trade-off for this tightened security, the functionality of some of your apps may be affected,” Google warns. “Most third-party apps that require access to your Gmail or Drive data, such as travel tracking apps, will no longer have permission. And you will only be able to use Chrome and Firefox to access your signed-in Google services like Gmail or Photos. Apple’s Mail, Calendar, and Contacts apps and Mozilla’s Thunderbird will continue to be able to access your Google data as normal.”
According to the company, security keys help protect unsuspecting users from phishing attacks that seek account login information. “Even if you do fall for a phishing attack that discloses your username and password,” the company says, “an unauthorized user won't be able to access your account without one of your physical security keys.”
Google recommends the program for IT administrators, executives, reporters, activists, political campaign teams and “employees in regulated or high-risk verticals such as finance or government.” That said, anyone who uses a security key can sign up for the beta program.
The new program essentially makes the tools easier for admins to roll out, by bundling the associated security services, which were already separately available, into one setting.
The enhanced security also makes it harder for a user to recover an account on a new device. Users who lose both their security keys will need the help of an admin to recover the account, a measure meant to stop hackers from using automated recovery tools to access a G Suite account.
Using the service means each account will need two keys, with a button that must be pressed to unlock the account. One key is used to log in and the other is a backup in case the first key is lost. There’s no cost associated with the program except for the keys, which run about $50.
The keys use the FIDO U2F (Universal Second Factor) standard. According to the FIDO Alliance, the industry association behind the standard, “FIDO standardizes the authentication protocol used between the client and the online service. The protocol is based on standard public key cryptography – the client registers a public key with the online service at initial setup. Later, when authenticating, the service verifies that the client owns the private key by asking it to sign a challenge. The protocol is designed to ensure user privacy and security in the current day state of the internet.”
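
The registration and challenge-signing flow described in the FIDO Alliance quote above, as an added example that is not Google's or the FIDO Alliance's code: a simplified Node.js model showing that the service accepts only a signature over its current challenge, made by the registered key, for its own origin. The names `Service`, `makeSecurityKey` and `demo`, the user name and both origins are hypothetical, and real U2F messages carry more fields than this model signs.

```javascript
// Added example: simplified model of FIDO-style registration and login (names and origins are hypothetical).
const crypto = require('node:crypto');
const sha256 = (s) => crypto.createHash('sha256').update(s).digest();
// Security key: the private key stays inside this closure (the device).
function makeSecurityKey() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  // Signs the hashed origin reported by the browser plus the service's challenge.
  const sign = (challenge, origin) =>
    crypto.sign('sha256', Buffer.concat([sha256(origin), challenge]), privateKey);
  return { publicKey, sign };
}
// Online service: stores only public keys and one pending challenge per user.
class Service {
  constructor(origin) {
    this.origin = origin;
    this.keys = new Map();
    this.pending = new Map();
  }
  register(user, publicKey) { this.keys.set(user, publicKey); }
  newChallenge(user) {
    const challenge = crypto.randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, signature) {
    const publicKey = this.keys.get(user);
    const challenge = this.pending.get(user);
    this.pending.delete(user); // each challenge is single use
    if (!publicKey || !challenge) return false;
    const signed = Buffer.concat([sha256(this.origin), challenge]);
    return crypto.verify('sha256', signed, publicKey, signature);
  }
}
function demo() {
  const site = 'https://accounts.example'; // constructed origin
  const service = new Service(site);
  const key = makeSecurityKey();
  service.register('alice', key.publicKey);
  const sig = key.sign(service.newChallenge('alice'), site);
  const genuine = service.verify('alice', sig);
  service.newChallenge('alice');
  const replayed = service.verify('alice', sig); // old signature, fresh challenge
  const otherOrigin = service.verify('alice',
    key.sign(service.newChallenge('alice'), 'https://accounts-example.test'));
  const otherKey = service.verify('alice',
    makeSecurityKey().sign(service.newChallenge('alice'), site));
  return { genuine, replayed, otherOrigin, otherKey };
}
```

Because the password never enters this check, a disclosed password alone leaves `verify` returning false, which is the property the article attributes to security keys.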